Cisco Catalyst 9800 (C9800) series wireless controller configuration is different from AireOS, and this document shows how to configure the C9800 to work with ISE. For an offline/printed copy of this document, simply choose Options > Printer Friendly Page. You may then Print, Print to PDF, or copy and paste to Word or any other document format you like.

For more information on the Cisco Catalyst 9800 series, please go to:

This document was validated with ISE 2.4p3 (previous versions of ISE should work with the C9800 as well).

The document does not cover details on how to bootstrap the ISE, C9800, and AP. It assumes the C9800 is accessible from the management PC and that the AP is associated to the C9800. It also assumes the underlying network elements are already configured, which includes VLANs, SVIs, subnets, DHCP, routing, and DNS.

The following diagram and table show the settings for the components.

Points where the C9800 differs from AireOS when working with ISE:

If a static ACL needs to be applied to a session, use the Airespace-ACL-Name (6) attribute to send down the ACL name.

If a dynamic VLAN (dVLAN) needs to be applied to a session, use the Airespace-Interface-Name (5) attribute to send down a VLAN name/ID. The VLAN needs to be pre-created on the C9800. Alternatively, the standard RADIUS 3-tuple attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID) can be used for VLAN assignment using the VLAN name/ID.

The redirect ACL follows Catalyst IOS syntax instead of AireOS syntax, so a permit statement means the matching traffic is redirected, while a deny statement means the traffic is allowed through without redirect.

With local mode, unlike AireOS, DNS ACL entries are not tied to the redirect ACL. URL entries need to be defined in URL Filters and called upon via a separate RADIUS attribute during authentication. More information on this is at the end of the document, in the ISE section.

With FlexConnect mode, the URL filter is tied to the redirect ACL within the flex profile, so the URL filter does not need to be called upon via a separate RADIUS attribute.

The URL redirect feature requires that the HTTP (optionally HTTPS) server service on the 9800 be enabled. It is enabled by default; if it has been disabled, run 'ip http server' (for HTTP redirect) and 'ip http secure-server' (for HTTPS redirect).

The following diagram shows the C9800 configuration at a high level. Each box represents an individual configuration profile with the relevant options shown, and how each profile feeds into other profiles to make a working configuration. The bullet points within a profile that are in bold represent a sub-profile being fed into that profile. The diagram also gives the suggested order in which to create the profiles, which maps to the main sections of the document.

Go to Configuration > Security > AAA > Servers / Groups > Servers, click Add, and enter the following information (any configuration not defined in the table assumes default settings):

Go to Configuration > Security > AAA > AAA Method List > Authentication, click Add, and create the Authentication list using the following information; it will be used for both the OPEN SSID and the SECURE SSID:

Note: If clients are failing to associate and the authentication request does not show up in the ISE Live Log, try setting the authentication list name to 'default' as shown above.

Go to Configuration > Security > AAA > AAA Method List > Authorization, click Add, and enter the following information for the AAA Authorization list that will be shared by both SSIDs:

Note: The Authorization list name 'default' is significant here, since no Authorization list can be selected within the 802.1X WLAN; only a list named 'default' will be used.

The policy profile covers device sensor, default VLAN, CoA, and RADIUS Accounting. Since the VLANs are different, two policy profiles are created, one for each WLAN. These profiles will be mapped to the WLANs using tags (any configuration not defined in the table assumes default settings):
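The AAA server, the 'default' authentication and authorization method lists, CoA, and a redirect ACL as described in this document, expressed as the equivalent IOS-XE CLI on the C9800. This is an added example, not the document's own configuration or tables: the ISE address 10.10.10.5, the names ISE-PSN, ISE-GROUP and REDIRECT_ACL, and the shared secret are placeholders. The ACL illustrates the Catalyst semantics noted above, where permit means redirect and deny means pass without redirect, so DNS, DHCP and traffic to ISE itself are denied (left alone) while client HTTP/HTTPS is permitted (redirected to the ISE portal).

```cisco
! --- HTTP server: required for URL redirect; on by default, shown for completeness ---
ip http server
ip http secure-server

! --- RADIUS server and server group (placeholder address, name and key) ---
aaa new-model
radius server ISE-PSN
 address ipv4 10.10.10.5 auth-port 1812 acct-port 1813
 key ISE-SHARED-SECRET
aaa group server radius ISE-GROUP
 server name ISE-PSN

! --- Method lists: the list name 'default' matters, because the 802.1X WLAN
!     cannot select an authorization list by name and uses 'default' ---
aaa authentication dot1x default group ISE-GROUP
aaa authorization network default group ISE-GROUP
aaa accounting identity default start-stop group ISE-GROUP

! --- CoA: allow ISE (same placeholder address) to send Change of Authorization ---
aaa server radius dynamic-author
 client 10.10.10.5 server-key ISE-SHARED-SECRET
 auth-type any

! --- Redirect ACL in Catalyst syntax: permit = redirect, deny = pass without redirect.
!     ISE references this name in cisco-av-pair url-redirect-acl=REDIRECT_ACL
!     (together with url-redirect=<portal URL>); the name must match exactly. ---
ip access-list extended REDIRECT_ACL
 deny   udp any any eq domain
 deny   udp any eq bootps any
 deny   udp any any eq bootpc
 deny   ip any host 10.10.10.5
 deny   ip host 10.10.10.5 any
 permit tcp any any eq www
 permit tcp any any eq 443
```

To check the result, 'show aaa servers' should list ISE-PSN with request counters incrementing during an authentication, and 'show wireless client mac-address <client-mac> detail' should show the redirect ACL name and URL on a client session once ISE has returned them. Note that the ACL does not list DNS entries for the portal: in local mode those belong in a URL filter, which is called out by a separate RADIUS attribute rather than by this ACL.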